Country

Article 5(3) implemented?

Applicable Legislation

Austria

Yes

Telekommunikationsgesetz 2003 as amended by BGBl I Nr. 102/2011. http://www.rtr.at/de/tk/tkg2003

Belgium

No

Bulgaria

Yes

Cyprus

No

Electronic Commerce Act was amended to implement Article 5(3). http://bit.ly/KPgKoO The Electronic Communications and Postal Services Law of 2004 (112(I)/2004)(draft) http://bit.ly/KgpenS Act No. 468/2011 Coll. which amended Act No. 127/2005 Coll., on Electronic Communications. (i) Act No 169 of 3 March 2011 on Electronic Communications Services and Networks and (ii) Executive Order No 1148 of 9 December 2011 on Information and Consent Required in Case of Storing and Accessing Information in End-user Terminal Equipment http://bit.ly/IOZRUR The Ministry has proclaimed that the Directive has already been satisfied by Article 102 of the Estonian Electronic Communications Act and no further action is required.

Czech Republic

Yes

Denmark

Yes

Estonia

n/a

Finland

Yes

The Act on the Protection of Privacy in Electronic Communications (516/2004). http://bit.ly/JrmWzH

France

Yes

Ordinance of 24 August 2011 number 2011-1012. http://www.cnil.fr/english/official-texts/

Germany

No

A Bill was first drafted to amend the Telecommunications Act on March 4, 2011.

Greece

No

Greek Data Protection Authority issued Opinion 7/14-12-2011 that Article 4, paragraph 5 of Law 3471/2006.

Hungary Iceland

Yes No

Amendment to the Hungarian Act on Communications (the Act CVII of 2011 Implementing Article 5(3) of the Directive) new Section 155(4). No activity towards implementation.

Ireland

Yes

European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011). http://bit.ly/M5dPYA

Italy

No

A law was passed in April, 2012 implementing the Directive in part.

Latvia Liechtenstein

Yes No

Law on Information Society Services, art. 71. http://bit.ly/IP0n5e No activity towards implementation.

Lithuania

Yes

The Law on Electronic Communications of the Republic of Lithuania No IX-2135.

Luxembourg

Yes

Implemented the revised Article 5(3) of the Directive plus some elements of recital 66 on July 28, 2011.

Malta

No

Processing of Personal Data (Electronic Communications Sector) Amendment Regulations, Legal Notice 239 published in the Government Gazette on 24 June 2011. http://idpc.gov.mt/dbfile.aspx/LN239.p df

Netherlands

No

The Dutch Lower House voted on a motion, however the Upper House has yet to approve it.

Norway

No

Poland

No

Ekomforskriften 7-3. http://www.lovdata.no/for/sf/sd/xd20040216-0401.html#7-3 The Polish Ministry of Transport, Construction and Maritime Economy has published a draft Act aiming to implement the revised Article 5(3) of the Directive.

Portugal

No

L 41/2004, of 18 of August, but a draft Bill is also currently under review before the council of ministers but is not publicly available.

Romania

No

A draft Government Emergency Ordinance implementing provisions of the amended Article 5(3) of the Directive was submitted for public consultation on October 7, 2011.

Slovakia

Yes

Act. No. 351/2011 Coll. on electronic communications. http://bit.ly/J6jJm3

Slovenia

No

Draft Electronic Communications Act which would implement the revised Article 5(3).

Spain

Yes

The law on the Information Society and Electronic Commerce 34/2002 was amended by Royal Decree 13/2012. http://bit.ly/KfNPUi

Sweden

Yes

Electronic Communications Act (Sw. lag 2003:389 om elektronisk kommunikation).

United Kingdom

Yes

The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. http://bit.ly/IT2IBk

Implementation Status

The amendment implementing Article 5(3) came into effect on November 22, 2011.

Responsible Authority for implementation Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR) http://www.rtr.at/en/rtr/rtrgmbh/ Austrian Data Protection Authority (DSK) https://www.dsk.gv.at/DesktopDefault.a spx?alias=dsken

'Opt-in' consent required?

Yes

A consultation paper by the Belgian Telecommunications regulator proposed "prior and written consent" however no legislation has been presented at this time. http://www.ibpt.be/fr/1/Home/Accue il/Accueil.aspx http://bit.ly/K9PXhX

n/a

The Electronic Commerce Act amendments came into effect on December 29th, 2011. The Directive has not yet been implemented but (112(I)/2004) is a draft which follows the wording of the Directive closely. The Directive has been implemented by Act No. 468/2011 Coll., and is effective as January 1, 2012.

Consumer Regulation Commission http://www.crc.bg/ Office of the Commissioner of Electronic Communications and Postal Regulation. http://bit.ly/J641HC

Yes

No

Office for Personal Data Protection (OPDP). http://www.ctu.cz/

No

Implemented on December 14, 2011.

Ministry of Business and Growth http://www.evm.dk/english

Yes

n/a

Ministry of Economic Affairs and Communications http://www.mkm.ee/en

TBD

Implemented on May 25, 2011.

The Finnish Communications Regulatory Authority (FICORA), the Data Protection Ombudsman. http://www.ficora.fi/en/

No

Came into effect on August 27, 2011 & guidance provided by the CNIL on October 26, 2011.

Commission nationale de Linformatique of des liberts (CNIL) http://www.cnil.fr/english/the-cnil/

Yes, for most cookies (e.g. tracking cookies)

There has been substantial criticism of the draft legislation and it is unlikely to become law and the process of implementing the Directive Article 5(3) into the Likely the Regulierungsbehoerde fr German Telecommunications Act Telekommunikation und Post is delayed. http://www.regtp.de/ The Directive has not yet been implemented however if Opin. 7/1412-2011 transposes the old "notice and opt-out" regime under the Directive and should be interpreted as if cookie consent requirements had been implemented.

TBD

Likely the EETT (National Telecommunications and Post Commission) when a law is passed. http://www.eett.gr/opencms/opencms/E ETT

No

Became effective on August 3, 2011.

Likely the Ministry of Transport, Communication and Water Management http://www.kim.gov.hu/index_hu.html

No (original bill submitted required 'prior' consent but was removed) n/a

Came into full effect on July 1, 2011 and there is no formal lead in date as provided in the UK, therefore businesses must legally comply immediately as of July 1, 2011.

Data Protection Commissioner http://dataprotection.ie/docs/Home/4.ht m http://www.comreg.ie/ Likely the Italian Communications Authority http://www.agcom.it/Home.aspx however it is believed that the necessary law required to delegate this implementation responsibility is not yet in force.

No

No

The amendments became effective Data State Inspectorate June 8, 2011. http://www.dvi.gov.lv/eng/.

Yes n/a

The amendment came into effect on August 1, 2011.

State Data Protection Inspectorate http://www.ada.lt/index.php?lng=en

Yes

The implementation plus some elements of recital 66 came into effect on September 1, 2011.

Likely the Institut Luxembourgeois des Tlcommunications http://www.ilr.public.lu/

Yes

Not yet in effect and there is no set date for effectiveness, however, indications were that they would be put into effect sometime in 'early 2012' and possibly given a 12 month transitional period to enable Likely the Malta Communications companies to implement. Authority http://www.mca.org.mt/

No

If the law should pass it's effective date would be June 2012.

Likely OPTA http://www.opta.nl/nl/ The Ministry of Transport and Communications http://www.regjeringen.no/en/dep/sd.ht ml?id=791

Yes

There has been a delay in proceedings.

TBD (appears it would be in line with opt-in).

Likely the UKE It would be implemented by an http://www.en.uke.gov.pl/ukeen/index.js Yes for targeted amendment to Article 173 of Polish p?place=Menu07&news_cat_id=79&lay advertising, otherwise Telecommunications Law. out=0 no.

CPND (local DPA)/ ANACOM

Yes for nonrequested communications with marketing purposes, otherwise No.

The legislative procedure was abandoned.

Likely the National Regulatory Authority for Communications http://www.anrc.ro/

No

Became effective November 1, 2011. (Section 81)

Likely the Telecommunications Office of the Slovak Republic http://www.teleoff.gov.sk/

No

Draft was published end of October 2011 but has not been adopted by the Slovenian Parliament yet and offered the European Commission Likely to be Ministry of Transport and partial notification for the Communications implementation of the new law. http://www.ukom.gov.si/

No

The amendment came into force April 2, 2012.

No

The Act came into full effect on July Swedish Post and Telecom 1, 2011. Agency. http://www.pts.se/en-gb/

No

The Regulations came into full force on May 26, 2011. However, the ICO has indicated they would give businesses 12 months to comply, May 2012.

Information Commissioners Office (ICO) http://www.ico.gov.uk/

No

Legal Requirement(s) Actual & Potential

Informed consent- user must be aware that consent has been given, the basis for and the purpose of processing data, and the duration of storage.

n/a Online Services providers must provide "clear and comprehensive information" about the purpose for processing cookies and give users the "opportunity to refuse" storing or accessing such information. Additionally, the use use of the online service cannot be made dependent upon the user's consent to cookies.

Current position is that users be able to 'opt-out' until the draft bill or one similar is presented to parliament and passed. Notice and opt-out is the current standard and the Directive is reflected in the Act on electronic Communications in Section 89 Part 3 of the Act. The language is almost identical to the Directive and therefore it's not very clear what standard of consent is required, however, consent must be freely given and specific. A user does not have to give consent each time a cookie is used, but consent must be informed which implies they are given information about the consequences of consenting. In the Regulatory Guidelines there is mention of both strict opt-in as well as "soft" or implied consent which means if a user continues to use a website after receiving clear information then the user will be deemed to have given consent to the use of cookies.

Not only includes the wording of the Directive but also some elements of recital 66 which recognizes the possibility of obtaining consent via browser/other application settings. Therefore the the requirement is 'consent' qualified by an express reference to the ability to rely on browser or other application settings. The saving of and use of data is not allowed beyond what is 'necessary.' The Ordinance requires 'consent' qualified by an express reference to being able to rely on browser or other application settings however, the CNIL October 2011 guidance provides: consent must be i) freely given ii) specific (for each cookie) iii) informed. Browser settings can be used for consent, unfortunately many browsers do not offer settings to satisfy the requirements. The CNIL adds that consent must be given prior to service of the cookie and certain cookies set for storing expressed user preferences or for maintaining website security do not require consent. The CNIL also considers the following mechanisms as compliant: i) a banner at the top of the webpage (www.ico.gov.fr) ii) consent request zone overlaid on the website's homepage iii) click boxes. The draft Bill states: "Individual issues of implementation of the amendment of [Art. 5(3)] of Directive 2002/58/EC are currently the subject of extensive consultations at European level, which include self-regulatory approaches of the advertising industry. The results of this process shall be awaited before decision about further legislative action will be made." Therefore, for the time being the approach is self-regulatory.

While not yet implemented into law, the regulatory requirement is "consent" qualified by the ability to rely on browser or other application settings. The Hungarian Authorities have not given any guidance on the meaning of 'consent,' however, general practice that consent is met through appropriate browser or other application settings. New Section 155(4) of the Act on Electronic Communications provides that "data may be stored or accessed on the terminal equipment of the subject end-user or subscriber after the provision of clear and comprehensive information-including the purpose of data processing-if consent of the end-user or subscriber has been granted hereto." Moreover, Hungary has not implemented the exemptions to Article 5(3) that allow cookies to be served without consent where strictly necessary to provide a user-requested service. n/a

No information is provided in the Regulations on how information should be provided or consent is to be obtained. The only guidance is in that information and consent should be as "userfriendly as possible" but that "where it is technically possible and effective... the user's consent to the storing of information or to gaining access to information already stored may be given by the use of appropriate browser settings or other technological application by means of which the user can be considered to have given his or her consent." In addition, the Regulations do not apply to cookies that are "strictly necessary in order to provide an information society service specifically requested" by the user. The law passed implementing the Directive in part allows the storing of information in the terminal equipment of a user upon the condition that the user concerned has i) given his consent ii) having been provided with clear and comprehensive information iii) particularly by means of the settings of the browser or of other applications. The amendments do not specifically address obtaining consent via browser settings indicating that an 'opt-in' consent requirement may apply. Consent may obtained in accordance with Personal Data Protection Law. No official guidance has been given by the Data State Inspectorate yet. n/a The amendments require opt-in (cookies can only be served where the individual has consented in advance of receiving them) first being provided with clear and comprehensive information about their use. The Data Protection Inspectorate published guidance stating that consent may be obtained through i) popups ii) banners or iii) website registration (where users have already consented to data protection terms as part of a previous registration, it is not sufficient simply to vary these terms to obtain cookie consent- a 'fresh' cookie consent must be obtained). Browser settings will not be valid. Consent is not required "for technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary for the provision of an information society service explicitly requested by the subscriber or user." Prior informed consent is required and the Act provides that (i) the methods of providing information and offering the right to refuse should be as user-friendly as possible and (ii) where it is technically possible and effective, the user's consent to processing may be expressed by appropriate browser or other application setting.

Legal notice 239 of 2011 copies the wording of revised Article 5(3) and do not specifically state what type of consent is required. If passed by the Upper House in the form the Lower House passed, the new "cookie law" incorporated in the Dutch Communications Act (article 11.a under 1), website operators will be required to obtain prior consent from users before they can store or gain access to cookies on the user's computer (i.e. optin). As a consequence, current browser settings are insufficient to obtain consent. According to the last sentence of new article 11.7a under 1 DTA, cookies served to collect information for targeted advertising purposes is assumed to entail a processing of personal data requiring compliance with the Dutch Data Protection Act. The discussion on this bill by the Upper House was reported and published on October 17, 2011 and the answers of the competent ministers were published on December 13, 2011. The Norwegian government is considering a proposal to prohibit processing cookies without valid consent from individuals. When it will be adopted and if browser or other application settings can be relied upon to gain consent is unclear.

According to the Ministry, consent referred to in amendment Article 5(3) can be obtained by relevant browser settings and the draft amendment states this specifically. L 41/2004, of 18 of August provides that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or of any user shall only be allowed where the following conditions have been met: (a) the subscriber or user concerned has been provided with clear and comprehensive information, namely about the purposes of the processing, in accordance with the provisions laid down in the Law on the Protection of Personal Data; (b) the right to refuse such processing has been offered to the subscriber or user "opt-out."

Under the Draft, storage of cookies is generally allowed subject to the following conditions: i) the user has been given clear and comprehensive information, and ii) the user has given his or her consent. Consent may be given by: i) the use of internet browser settings or similar technologies whereby the subscriber/user may be deemed to have given his consent, and/or ii) the listing by the subscriber/user of the providers to whom he denies the storage or access to the stored information (i.e. a 'do not track' list). The Act recognises the possibility of obtaining consent via browser settings/other application settings as contained in recital 66. The legal requirement is "consent given on the basis of clean and complete information; as the user's consent is also deemed the using of the appropriate settings of a browser or other application."

The Draft Electronic Communications Act contains the wording of the Revised Article 5(3). Cookies may be served as long as individuals have provided their consent, having been given clear and comprehensive information, in particular about the purposes for which their personal data will be processed. Express consent is not required. Where it is possible and effective, consent may be provided using browser settings as long as this requires a positive action from the individual. There is disagreement as to what constitutes consent among the Data Inspection Board, the Swedish Post and Telecom Agency, and the approach taken by the Article 29 Working Party. The Directive has been implemented and requires users' consent to cookies, for the time being it seems to be understood that this can be achieved relying on browser settings, however, this should be kept under close review and some authorities are choosing be on the safe side and collect consent. The ICO has published advice on how UK business can comply with the new Regulations, together with details on how it proposes to enforce the new regulations: http://bit.ly/J6mbZK & http://bit.ly/Jl8k5q What is legally required is qualified by an explicit reference to the ability to rely on browser settings. However, the ICO indicates that current browser settings are insufficient. The ICO expects organizations to audit their website cookie use, asses the intrusiveness of the cookies they serve, and then determine appropriate cookie consent strategies. While the ICO expects that consent ordinarily be obtained before a cookie is served, the ICO acknowledges the possibility of reliance on both implied and 'after the event' consent in appropriate contexts.